Mosquitto

An Open Source MQTT v3.1/v3.1.1 Broker

Mosquitto is an open source (BSD licensed) message broker that implements the MQ Telemetry Transport protocol versions 3.1 and 3.1.1. MQTT
provides a lightweight method of carrying out messaging using a
publish/subscribe model. This makes it suitable for "machine to machine" messaging such as with low power sensors or mobile devices such as phones, embedded computers or microcontrollers like the Arduino.
A good example of this is all of
the work that Andy Stanford-Clark (one of the originators of MQTT) has done
in home monitoring and automation with his twittering house and twittering
ferry. Andy gave a talk on this at OggCamp that explains a bit about MQTT and
how he uses it. The slides and audio are available online at slideshare.

This is a feature release and is also the first release of the mosquitto project from the Eclipse Foundation umbrella. The code is now dual licenced under the EPL/EDL. The EDL and BSD 3 clause license are essentially identical so if you were happy with the BSD license then you should be happy with the EDL.

Files distributed will remain in the same place but will in some cases also be available on the Eclipse download servers.

Important changes

Websockets support in the broker.

Bridge behaviour on the local broker has changed due to the introduction of the local_* options. This may affect you if you are using authentication and/or ACLs with bridges.

The default TLS behaviour has changed to accept all of TLS v1.2, v1.1 and v1.0, rather than only one version of the protocol. It is still possible to restrict a listener to a single version of TLS.

The Python client has been removed now that the Eclipse Paho Python client has had a release.

When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.

New use_username_as_clientid option on the broker, for preventing hijacking of a client id.

The client library and clients now have experimental SOCKS5 support.

Wildcard TLS certificates are now supported for bridges and clients.

The clients have support for config files with default options.

Client and client libraries have support for MQTT v3.1.1.

Bridge support for MQTT v3.1.1.

Broker

Websockets support in the broker.

Add local_clientid, local_username, local_password for bridge connections to authenticate to the local broker.

Default TLS mode now accepts TLS v1.2, v1.1 and v1.0.

Support for ECDHE-ECDSA family ciphers.

Fix bug #1324411, which could have had unexpected consequences for delayed messages in rare circumstances.

Add support for “session present” in CONNACK messages for MQTT v3.1.1.

When using “log_dest file” the output file is now flushed periodically.

Clients

Both clients can now load default configuration options from a file.

Add -C option to mosquitto_sub to allow the client to quit after receiving a certain count of messages. Closes bug #453850.

Add –proxy SOCKS5 support for both clients.

Pub client supports setting its keepalive. Closes bug #454852.

Add support for config files with default options.

Add support for MQTT v3.1.1.

Client library

Add experimental SOCKS5 support.

mosquitto_loop_forever now quits after a fatal error, rather than blindly retrying.

SRV support is now not compiled in by default.

Wildcard TLS certificates are now supported.

mosquittopp now has a virtual destructor. Closes bug #452915.

Add support for MQTT v3.1.1.

Don’t quit mosquitto_loop_forever() if broker not available on first connect. Closes bug #453293, but requires more work.

Dependencies

This release introduces two new dependencies, libwebsockets and libuuid. Both are optional. libuuid comes from the e2fsprogs project and allows the broker to generate random client ids for MQTT v.3.1.1. The libwebsockets dependency can use either libwebsockets 1.3 or 1.2.x, with 1.3 being the preferred choice.

The mosquitto project has, or can get, access to a wide variety of different systems to help with development. One important platform for which this is not true is Mac OS X. There are sufficient differences between Macs and other systems that this makes life difficult.

To this end, I would like to reach out to the mosquitto community to ask for help with obtaining either

A remote login on a Mac system

Donation of hardware

Donation of money to buy some hardware

I have been offered a remote account by a few individuals in the past, for which I’m very grateful, but only on a short term basis and, understandably, with limited control. Something on a longer term, with the ability to install packages would be much more useful. Unfortunately I realise this is relatively difficult to offer.

On the hardware side of things, there isn’t a need for a modern, powerful computer. A second hand Mac Mini of Core2Duo vintage with 1GB RAM and a reasonably modern version of Mac OS X would be quite sufficient, and ideal for me in terms of the space it takes up. Regrettably I feel I would have to turn down offers of an old iMac or Mac Pro.

2007-era Mac Minis go on Ebay UK for around £100. I’m hopeful that there is a company out there using mosquitto, likes Macs and for whom £100 would be a drop in the ocean. If so, or any individuals want to help out with a small donation towards this, please get in touch directly to roger@atchoo.org or head over to the downloads page to see the paypal donation link, and thanks very much in advance.

Update:

I have now awaiting delivery of a Mac mini. Thanks very much to all of you that have contributed, it is very much appreciated. If you would still like to support mosquitto development please don’t let this put you off…

Details of the POODLE attack that targets SSLv3 have been released recently. Mosquitto has never provided support for SSLv3 (or SSLv2) so should not be vulnerable to this attack and does not require any configuration changes.

Version 1.3.4 introduced the change that when using TLS with require_certificate set to false, the client is no longer asked for a client certificate. This seemed to be causing problems in some situations, particularly with embedded devices.

If use_identity_as_username is set to true when require_certificate is set to false, then the client will not be asked for a certificate, even if it has one configured. This means that the client will be refused access with connack code 4, “bad username or password”, because if use_identity_as_username currently requires that a certificate is present, even if allow_anonymous is set to true.

This change may cause unexpected results, but does not represent a security flaw because the change results in more clients being rejected than would otherwise have been.

Broker

Fix possible memory leak when using a topic that has a leading slash. Fixes bug #1360985.

Fix saving persistent database on Windows.

Temporarily disable ACL checks on subscriptions when using MQTT v3.1.1. This is due to the complexity of checking wildcard ACLs against wildcard subscriptions. This does not have a negative impact on security because checks are still made before a message is sent to a client. Fixes bug #1374291.

When using -v and the broker receives a SIGHUP, verbose logging was being
disabled. This has been fixed.

Client library

This is a bugfix release. The reason for the rapid release of the past two versions is down to a Debian developer reviewing the mosquitto package. This is a good opportunity to ensure that as bug free a version as possible is present in Debian.

Broker

Don’t ask client for certificate when require_certificate is false.

Backout incomplete functionality that was incorrectly included in 1.3.2.

Broker

Security

A bug in the way that mosquitto handles authentication plugins has been identified. When using a plugin for authentication purposes, if the plugin returns MOSQ_ERR_UNKNOWN when making an authentication check, as might happen if a database was unavailable for example, then mosquitto incorrectly treats this as a successful authentication. This has the potential for unauthorised clients to access the running mosquitto broker and gain access to information to which they are not authorised. This is an important update for users of authentication plugins in mosquitto.